Privacy & Security Tips
November, 2025
Are physicians at risk when uploading patient information to insurance portals?
Physicians are increasingly being asked to upload forms or documents containing personal health information to insurance or third-party portals. These platforms often claim they're "PHIPA- and PIPEDA-compliant," but how can physicians be sure? What happens if there is a privacy breach?
When physicians send patient information through these portals, they are doing so at the patient's direction — not for their own purposes. Patient consent governs the disclosure, and by asking physicians to upload the information, patients have already given their consent (which is usually implied). In this situation, physicians are essentially acting as agents for patients, not as independent data controllers.
Because of this, the privacy risk does not fall on physicians. Insurers or portal providers — the parties collecting and storing the data — are responsible for meeting privacy and security requirements under PHIPA and PIPEDA. It is also reasonable for physicians to rely on assurances of compliance from insurers or portal providers.
Key takeaways:
- Patients direct the disclosure and assume the risk.
- Insurers and/or portal providers must ensure compliance.
- Physicians can rely on representations of compliance from insurers and/or portal providers.
The bottom line: while privacy vigilance is always important, physicians can upload patient forms or documents with confidence, with no additional action required.